Discussion:
Vulnerability mitigation with OSPROTECT
(too old to reply)
Roland Fernandez
2018-08-10 16:11:05 UTC
Permalink
Good Friday Everyone!

Has anyone implemented OSPROTECT=SYSTEM or OSPROTECT=1 in IEASYSxx yet? I'm primarily concerned about the overhead and how (or even if) it can be derived from the usual metrics.

This is the z/OS portion of the Meltdown mitigation implemented via APAR OA55233. It only works if you have the appropriate MCLs applied.

The Init and Tuning Reference was recently update to include this parameter. The guidance for OSPROTECT=1 cites a "...minor impact to system performance and/or workload execution." I presume "minor" could be subjective depending on your workload characteristics.

Thanks for your input!
Roland Fernandez
Pacific Life

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Charles Mills
2018-08-10 17:43:36 UTC
Permalink
It's applied everywhere at IBM Dallas but we are just now starting to test.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Roland Fernandez
Sent: Friday, August 10, 2018 9:11 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Vulnerability mitigation with OSPROTECT

Good Friday Everyone!

Has anyone implemented OSPROTECT=SYSTEM or OSPROTECT=1 in IEASYSxx yet? I'm primarily concerned about the overhead and how (or even if) it can be derived from the usual metrics.

This is the z/OS portion of the Meltdown mitigation implemented via APAR OA55233. It only works if you have the appropriate MCLs applied.

The Init and Tuning Reference was recently update to include this parameter. The guidance for OSPROTECT=1 cites a "...minor impact to system performance and/or workload execution." I presume "minor" could be subjective depending on your workload characteristics.

Thanks for your input!
Roland Fernandez
Pacific Life

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Ed Jaffe
2018-08-10 23:56:48 UTC
Permalink
Post by Roland Fernandez
Has anyone implemented OSPROTECT=SYSTEM or OSPROTECT=1 in IEASYSxx yet? I'm primarily concerned about the overhead and how (or even if) it can be derived from the usual metrics.
This is the z/OS portion of the Meltdown mitigation implemented via APAR OA55233. It only works if you have the appropriate MCLs applied.
Hey, Roland! Keith Sisson plans to discuss this in the the Bit Bucket at
SHARE in St Louis on Friday. Will you be here?
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/

--------------------------------------------------------------------------------
This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination, distribution,
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all copies
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the recipient
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
scott Ford
2018-08-11 18:13:45 UTC
Permalink
Guys,

Does this new APAR effect running APF mode in programs or MODE=SUP mode ?

Scott

P.S. I wished I could see you guys in St. Louis
Post by Roland Fernandez
Post by Roland Fernandez
Has anyone implemented OSPROTECT=SYSTEM or OSPROTECT=1 in IEASYSxx yet?
I'm primarily concerned about the overhead and how (or even if) it can be
derived from the usual metrics.
Post by Roland Fernandez
This is the z/OS portion of the Meltdown mitigation implemented via APAR
OA55233. It only works if you have the appropriate MCLs applied.
Hey, Roland! Keith Sisson plans to discuss this in the the Bit Bucket at
SHARE in St Louis on Friday. Will you be here?
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/
--------------------------------------------------------------------------------
This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination, distribution,
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all copies
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the recipient
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Scott Ford
IDMWORKS
z/OS Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Charles Mills
2018-08-11 18:35:29 UTC
Permalink
IBM being very tight-lipped. 
It seems like something of a catch-all to me, and I suspect at least some of it affects EVERY program. 



CharlesSent from a mobile; please excuse the brevity.
-------- Original message --------From: scott Ford <***@GMAIL.COM> Date: 8/11/18 11:13 AM (GMT-08:00) To: IBM-***@LISTSERV.UA.EDU Subject: Re: Vulnerability mitigation with OSPROTECT
Guys,

Does this new APAR effect running APF mode in programs or MODE=SUP mode  ?

Scott

P.S. I wished I could see you guys in St. Louis
Post by Roland Fernandez
Post by Roland Fernandez
Has anyone implemented OSPROTECT=SYSTEM or OSPROTECT=1 in IEASYSxx yet?
I'm primarily concerned about the overhead and how (or even if) it can be
derived from the usual metrics.
Post by Roland Fernandez
This is the z/OS portion of the Meltdown mitigation implemented via APAR
OA55233.  It only works if you have the appropriate MCLs applied.
Hey, Roland! Keith Sisson plans to discuss this in the the Bit Bucket at
SHARE in St Louis on Friday. Will you be here?
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/
--------------------------------------------------------------------------------
This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination, distribution,
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all copies
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the recipient
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Scott Ford
IDMWORKS
z/OS Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
scott Ford
2018-08-11 22:20:47 UTC
Permalink
Charles,

That suspension makes sense to me...

Scott
Post by Charles Mills
IBM being very tight-lipped.
It seems like something of a catch-all to me, and I suspect at least some
of it affects EVERY program.
CharlesSent from a mobile; please excuse the brevity.
Subject: Re: Vulnerability mitigation with OSPROTECT
Guys,
Does this new APAR effect running APF mode in programs or MODE=SUP mode ?
Scott
P.S. I wished I could see you guys in St. Louis
Post by Roland Fernandez
Post by Roland Fernandez
Has anyone implemented OSPROTECT=SYSTEM or OSPROTECT=1 in IEASYSxx yet?
I'm primarily concerned about the overhead and how (or even if) it can be
derived from the usual metrics.
Post by Roland Fernandez
This is the z/OS portion of the Meltdown mitigation implemented via
APAR
Post by Roland Fernandez
OA55233. It only works if you have the appropriate MCLs applied.
Hey, Roland! Keith Sisson plans to discuss this in the the Bit Bucket at
SHARE in St Louis on Friday. Will you be here?
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/
--------------------------------------------------------------------------------
Post by Roland Fernandez
This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination,
distribution,
Post by Roland Fernandez
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all
copies
Post by Roland Fernandez
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the
recipient
Post by Roland Fernandez
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Scott Ford
IDMWORKS
z/OS Development
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Scott Ford
IDMWORKS
z/OS Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Timothy Sipples
2018-08-13 08:22:34 UTC
Permalink
There's a great deal of information published here:

http://publibz.boulder.ibm.com/zoslib/pdf/OA54807.pdf

As that document indicates, please refer to the official publication
updates themselves for the latest authoritative information.

I see that CA has published lots of (non) impact statements within the past
couple weeks, with no problems reported or expected in ACF2, MIMS, CA1,
MICS, and Datacom, as examples.

As a reminder, please subscribe to the IBM Z Security Portal if you need
to. Details here:

https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03054USEN

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
E-Mail: ***@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
scott Ford
2018-08-13 12:58:55 UTC
Permalink
Timothy,

Thanks kind sir I will take a look.

Scott
Post by Timothy Sipples
http://publibz.boulder.ibm.com/zoslib/pdf/OA54807.pdf
As that document indicates, please refer to the official publication
updates themselves for the latest authoritative information.
I see that CA has published lots of (non) impact statements within the past
couple weeks, with no problems reported or expected in ACF2, MIMS, CA1,
MICS, and Datacom, as examples.
As a reminder, please subscribe to the IBM Z Security Portal if you need
https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03054USEN
--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Scott Ford
IDMWORKS
z/OS Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...